Sources report that a Coinbase breach is connected to a leak of customer data in India.

Coinbase, the cryptocurrency exchange, was aware as early as January of a data leak involving customer information at an outsourcing firm linked to a larger breach, potentially costing up to $400 million, according to six sources familiar with the situation who spoke to Reuters.

A portion of the breach, which was publicly revealed in a May 14 SEC filing, allegedly occurred when a TaskUs employee based in India took photos of her work computer using her personal phone, as claimed by five former employees of TaskUs.

Three of these ex-employees, along with one person informed about the issue, stated that Coinbase was promptly alerted.
The former employees mentioned they were briefed on the incident by company investigators or colleagues who witnessed it in Indore, India. They indicated that the woman and a suspected accomplice were reportedly passing on Coinbase customer data to hackers in exchange for bribes.

According to the former employees and the informed individual, over 200 TaskUs employees were eventually terminated in a mass layoff that gained attention in Indian media.

Coinbase had earlier attributed the breach to “support agents overseas,” estimating the potential cost at around $400 million.

While the connection between TaskUs and the breach was referenced in a lawsuit filed last week in federal court in Manhattan, the previously unreported details of the incident raise additional questions about when Coinbase first became aware of it.

In the May SEC filing, Coinbase noted that it had knowledge of contractors accessing employee data “without business need” in “previous months.” It was only upon receiving an extortion demand on May 11 that it realized the access was part of a broader initiative, the company stated.

In a Wednesday statement to Reuters, Coinbase indicated that the issue had been recently uncovered and that it had “terminated ties with the TaskUs personnel involved and other overseas agents, and strengthened controls.”

Coinbase did not identify the other foreign agents.

TaskUs mentioned in a statement that two employees were terminated earlier this year for illegally accessing client information, though the client was not specified.

“We promptly reported this activity to the client,” the statement added. “We believe these two individuals were part of a larger, coordinated criminal operation targeting this client, which also affected various other service providers working with it.”

The informed individual confirmed that Coinbase was the client and that the incident occurred in January.

Reuters was unable to determine whether any arrests had been made. Police in Indore did not respond to a request for comment.